PSA: update your DNS resolvers (PiHole, unbound, Bind9, dsnmasq) to patch DNSSEC vulnerability

Selfhosted@lemmy.world – 145 points – 5 months ago

Researchers recently found a vulnerability in the way DNS resolvers handle DNSSEC validation that allow attackers to DoS resolvers with a single DNS request

https://www.theregister.com/2024/02/13/dnssec_vulnerability_internet/

It is highly recommended to upgrade your resolvers to the following versions:

unbound: 1.91.1
PiHole: FTL 5.25 or Docker 2024.02.0
Bind9: 9.19.17
dnsmasq: 2.90
and probably any other resolver you use

Wouldn't the attacker have to be on the same network as the resolver for this to work? Or could it be triggered by a "dirty hostname"? Because in the former case, most home networks would not be at much risk.

It's the latter. Unless you run your own DNS resolver, most people are safe

Thanks for the heads -up.

Sorry if this is a basic question. So if I have a pihole, do I just need to update the Raspberry Pi software, along with updating pihole software to resolve the insecurities? Or do I need to change the DNS settings of the pihole?

If you use a third-party's DNS server (such as Cloudflare, Quad9 or Google) as your upstream DNS server, you only have to update PiHole.

If you have set up your own upstream DNS server using a DNS resolver like unbound or Bind9, update it as well as your PiHole.

Makes sense, thanks for the response.

You need to update Pihole

What's the status of SmartDNS (that is used by OpenWRT and DD-WRT) on this? Anyone knows anything?

I struggle to find if it uses DNSSEC or even a change log. If it does, contact the maintainer and disable DNSSEC (if you can) until a fix is released.

Not sure why, but on Synology with docker, the pihole:latest releases are usually a mess and restoring settings and client lists does not work. Unfortunately, only “latest -2” seems to work most of the time.

¯\_(ツ)_/¯

What about on mobile? Those of us who use dns filtering on mobile.

I'm not familiar with off-the-shelf DNS filtering on mobile, but since running a DNS resolver on-device would be impractical, I think they must be using a DNS server that they maintain. Which means that unless I'm wrong, the vulnerability lies on their end, you should be fine.

I been using rethink dns but ik their are other for android at least. Works by making a local vpn magic.

They maintain their own resolver, so they have to patch it if not done already.